chore: commit pending infra playbook changes including ssh initialization script

roles/github/README.md

@@ -5,8 +5,8 @@ This role manages GitHub Organization Rulesets to enforce branch protection and
 ## Governance Rules
 
 ### 1. Global Main Protection
-- **Target:** `main` branch
+- **Target:** `{{ github_target_branch }}` branch
-- **Inclusion:** All repositories (`~ALL`)
+- **Inclusion:** `{{ github_repository_name }}`
 - **Rules:**
   - Prevent deletion.
   - Prevent force pushes (non-fast-forward).
@@ -14,8 +14,8 @@ This role manages GitHub Organization Rulesets to enforce branch protection and
   - Dismiss stale reviews on push.
 
 ### 2. Global Release Protection
-- **Target:** `release/*` branches
+- **Target:** `{{ github_release_branch_pattern }}` branches
-- **Inclusion:** All repositories (`~ALL`)
+- **Inclusion:** `{{ github_repository_name }}`
 - **Rules:**
   - Prevent deletion.
   - Prevent force pushes.
@@ -37,4 +37,22 @@ ansible-playbook apply-branch-protection.yml
 
 ## Configuration
 - `github_org_name`: Defined in `defaults/main.yml`.
+- `github_repository_name`: Optional repository scope. Defaults to `~ALL`.
+- `github_target_branch`: Main branch target. Defaults to `main`.
+- `github_release_branch_pattern`: Release branch pattern. Defaults to `release/*`.
 - `github_rulesets`: Defined in `vars/main.yml`.
+
+## Common usage
+
+Target one repository and one release branch:
+
+```bash
+export GITHUB_TOKEN=your_admin_token
+ansible-playbook apply-branch-protection.yml \
+  -e github_org_name=cloud-neutral \
+  -e github_repository_name=xstream-vpn \
+  -e github_target_branch=main \
+  -e github_release_branch_pattern=release/http3-quic-stable
+```
+
+If you want the rule to apply to all repositories in the organization, keep the default `github_repository_name=~ALL`.

roles/github/defaults/main.yml

@@ -1,4 +1,7 @@
 ---
 github_org_name: "cloud-neutral"
 owner: "{{ github_org_name }}"
-repo: ""
+repo: ""
+github_repository_name: "~ALL"
+github_target_branch: "main"
+github_release_branch_pattern: "release/*"

roles/github/vars/main.yml

@@ -6,11 +6,11 @@ github_rulesets:
     conditions:
       ref_name:
         include:
-          - "refs/heads/main"
+          - "refs/heads/{{ github_target_branch }}"
         exclude: []
       repository_name:
         include:
-          - "~ALL"
+          - "{{ github_repository_name }}"
         exclude: []
         protected: false
     rules:
@@ -30,11 +30,11 @@ github_rulesets:
     conditions:
       ref_name:
         include:
-          - "refs/heads/release/*"
+          - "refs/heads/{{ github_release_branch_pattern }}"
         exclude: []
       repository_name:
         include:
-          - "~ALL"
+          - "{{ github_repository_name }}"
         exclude: []
         protected: false
     rules:
@@ -47,4 +47,4 @@ github_rulesets:
           dismiss_stale_reviews_on_push: true
           require_code_owner_reviews: false
           require_last_push_approval: false
-          required_review_thread_resolution: false
+          required_review_thread_resolution: false

roles/vhosts/acp_server_gemini/tasks/config.yml

@@ -76,7 +76,7 @@
 
 - name: Deploy Gemini ACP systemd service
   ansible.builtin.template:
-    src: gemini-acp.service.j2
+    src: gemini-acp-adapter.service.j2
     dest: "/etc/systemd/system/{{ acp_gemini_service_name }}.service"
     owner: root
     group: root

roles/vhosts/common/files/init_ssh_key.exp

@@ -0,0 +1,26 @@
+#!/usr/bin/expect -f
+
+if {[llength $argv] != 3} {
+    puts "Usage: ./init_ssh_key.exp <username> <host> <password>"
+    exit 1
+}
+
+set user [lindex $argv 0]
+set host [lindex $argv 1]
+set password [lindex $argv 2]
+
+set timeout 20
+
+spawn ssh-copy-id -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null $user@$host
+
+expect {
+    "*assword:*" {
+        send "$password\r"
+        expect eof
+    }
+    "All keys were skipped because they already exist on the remote system." {
+        expect eof
+    }
+    eof {
+    }
+}